'''If time reference is not the same everywhere, then fail2ban won't ban any IP!'''

'''If time reference is not the same everywhere, then fail2ban won't ban any IP!'''

+

+

=== Fail2ban is failing to ban VSFTPD bruteforce ===

+

*'''Scenario:''' VSFTP configuration is set for PAM authentication, using xferlog in standard format. Fail2ban for vsftpd is watching /var/log/secure

+

*'''Problem:''' PAM sends failed login information to /var/log/secure, but the remote server's IP address has been replaced by a DNS name. Resulting DNS name does not resolve or does not resolve correctly, thus fail2ban is unable to ban the IP address.

I get the error "Please check the format and your locale settings"

This is a known bug. Since 0.6.1, Fail2ban uses your locale settings for date and time format. However, some daemons do not take care of locale and write their log messages using the POSIX standard. Please look at this bug for more details.

You can try to override the LANG variable:

# LANG=en_US /etc/init.d/fail2ban restart

You can get all the available locale with:

# locale -a

How do I increase verbosity?

In order to increase the verbosity of Fail2ban, use the command line option -vvv for fail2ban-client and fail2ban (only for 0.6.x). Set loglevel to 4 in /etc/fail2ban/fail2ban.conf (only for > 0.6.x).

Fail2ban is running but not banning SSH bruteforce

NB:This example is based on a Debian system, but can be easily done on any distro.

# fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
....
Success, the total number of match is 30

So, check that all your logs are synchronized: all logs files (auth.log, syslog,..) must use the same time reference (if your server is not very busy, there will probably be an important difference between the output of [1]date command and the last event logged in syslog. You can force to generate a log in syslog using the logger command and check then with the output of date command)

If time reference is not the same everywhere, then fail2ban won't ban any IP!

Fail2ban is failing to ban VSFTPD bruteforce

Scenario: VSFTP configuration is set for PAM authentication, using xferlog in standard format. Fail2ban for vsftpd is watching /var/log/secure

Problem: PAM sends failed login information to /var/log/secure, but the remote server's IP address has been replaced by a DNS name. Resulting DNS name does not resolve or does not resolve correctly, thus fail2ban is unable to ban the IP address.